CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
EPSS
Percentile
51.4%
According to its self-reported version the Cisco Adaptive Security Appliance (ASA) software running on the remote device is affected by an authentication bypass vulnerability in the implementation of Security Assertion Markup Language (SAML) 2.0 Single Sign-On (SSO) for Clientless SSL VPN (WebVPN) and AnyConnect Remote Access VPN.
The vulnerability is due to improper credential management when using NT LAN Manager (NTLM) or basic authentication. An attacker could exploit this vulnerability by opening a VPN session to an affected device after another VPN user has successfully authenticated to the affected device via SAML SSO. A successful exploit could allow the attacker to connect to secured networks behind the affected device.
(CVE-2019-1714)
Please see the included Cisco BID and Cisco Security Advisory for more information.
#TRUSTED 7e0dbf02528a0ed145bb0890f2abbaed218bda7561e67fe95a263fa2fb417819033bcf34bbb17c93bae87003d07ecdc88376cc1d1ce5e866ffd52cb0ad46942d64223de78a0564075c2f92aa8174e50f76214a2149358a5768851cacd71065796a768437ce5f2358fcf2f8891da83ea26e34cdb9fbbbf0aeec02ba4a8e985d114992dcd63c4894039c860175cb3e241af186e9725544b2e99ba7477299ff8399d55ad5988166ed0fee8cc37c77967d2863410e688628c0b3d0218536c62be6414b3e7645330b26d181dbb918bc3a98a815dde41f609e333fbdc94157bce960267063f57fbed1b31980f24d7354808886741dd0350416517161a997b2e6171ffc160f6e6a871283f433e98f0194b75f34593f214bac1ab9c4d29bd4303e6852b4d7606905daa78254c5fade888d3b75e21b90b47719a183c2ea961419e8b80c7afffed3bcade0ebf4788248d7a44a2f850dc63a1e8d672b0cdf61a5250a761c7165cff0016d051c42b41ccc1163307f5d3ad64a71d53c1cfba6ab64f1d234bdcd366c13685b00d71474706a295171fbd0f1d1c15e3d8e10c40bded6add82b3b388cc20fa5b3bbd36c17fb1f3ef4b0956c90b99acc3364981132be920a87748c359f1412eef003b68462b786781ef10d8d6c5ba943edcefd11581518c9987358e706c69be50b2de634b1679bee898f0430629bec3f0e7e51a7fc8d33752ed71867
#TRUST-RSA-SHA256 74ada2e486ac44ee7b0a3fed62182e1ee31bc352dc7e0b615b5bba0ae84d66602c285371920e013988a5fbe7e15faa3b7fb78169869b5634a170526acfefbc96de1cf47f9ef9e9148205269a2c8fde202790047c55f24c5d64365b1506a4f0825ca71bd512b0877dd622d0e6462ea87d213ab9365500af81abf7be64ded8ace27b2345245d6d6d1bebcd4d48cff7502d987bc967535bdbb08dc660c14a5704bb7f7ebc870d66fc0ef8ce6039ff1920a21db96025ce1f0dc89f9ed2cf1fc68df0285b3a0e86e8333fdbaa510c94d6c62b3fef331f080616913996fec2aa3167b883bfdde81140607f4bed22ee8fce06939b938d6dabc71e06236d383883da47d752bee8215e7bee77c441a5970f9e40ee3aa33e186a63544b4b3e9995e75397a4e75ae1ed7d748caaa317ffd129209f4d4e5460a94399cb5b9b82710d20173472f70cb47c8bf78b14a96455bb8df808957c0dc0989e2011f6960ffecc8a9c892f6526e298fc7e8b0b09a643721bc21d3009a9603e9381f081662d8a78ec27eeca87ecf7dd4302ba6a1e292839e2d5f0d1980aa2ecad5e1c4cab72caa60361e36ede18cd453e173d3821ebcf0dd27c692f14e59883091c01b286e8557c2e04f1cd10362994ac3eb41c7f7a1354906ce1c7b53fdaa9eab0893bd838b45ee05a1668f9505933fe6080fd60a3b8c4d3475f573f8ee502f081029930359d2afd3c029d
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
script_id(128063);
script_version("1.9");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/03/31");
script_cve_id("CVE-2019-1714");
script_bugtraq_id(108185);
script_xref(name:"CISCO-BUG-ID", value:"CSCvn72570");
script_xref(name:"CISCO-SA", value:"cisco-sa-20190501-asaftd-saml-vpn");
script_xref(name:"IAVA", value:"2019-A-0271-S");
script_name(english:"Cisco Adaptive Security Appliance VPN SAML Authentication Bypass Vulnerability (cisco-sa-20190501-asaftd-saml-vpn)");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
script_set_attribute(attribute:"description", value:
"According to its self-reported version the Cisco Adaptive Security
Appliance (ASA) software running on the remote device is affected by
an authentication bypass vulnerability in the implementation of
Security Assertion Markup Language (SAML) 2.0 Single Sign-On (SSO)
for Clientless SSL VPN (WebVPN) and AnyConnect Remote Access VPN.
The vulnerability is due to improper credential management when using
NT LAN Manager (NTLM) or basic authentication. An attacker could
exploit this vulnerability by opening a VPN session to an affected
device after another VPN user has successfully authenticated to the
affected device via SAML SSO. A successful exploit could allow the
attacker to connect to secured networks behind the affected device.
(CVE-2019-1714)
Please see the included Cisco BID and Cisco Security Advisory for
more information.");
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asaftd-saml-vpn
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4bb85a40");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn72570");
script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCvn72570.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1714");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_cwe_id(255);
script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/01");
script_set_attribute(attribute:"patch_publication_date", value:"2019/05/01");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/22");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:firepower_threat_defense");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2019-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
script_require_keys("Host/Cisco/ASA", "Host/Cisco/ASA/model", "Settings/ParanoidReport");
exit(0);
}
include('ccf.inc');
include('cisco_workarounds.inc');
if (report_paranoia < 2)
audit(AUDIT_PARANOID);
var product_info = cisco::get_product_info(name:"Cisco Adaptive Security Appliance (ASA) Software");
if (
product_info.model !~ '^30[0-9][0-9]($|[^0-9])' && # 3000 ISA
product_info.model !~ '^55[0-9][0-9]-X' && # 5500-X
product_info.model !~ '^65[0-9][0-9]($|[^0-9])' && # 6500
product_info.model !~ '^76[0-9][0-9]($|[^0-9])' && # 7600
product_info.model != 'v' && # ASAv
product_info.model !~ '^21[0-9][0-9]($|[^0-9])' && # Firepower 2100 SSA
product_info.model !~ '^41[0-9][0-9]($|[^0-9])' && # Firepower 4100 SSA
product_info.model !~ '^93[0-9][0-9]($|[^0-9])' # Firepower 9300 ASA
) audit(AUDIT_HOST_NOT, "an affected Cisco ASA product");
var vuln_ranges = [
{'min_ver' : '9.7', 'fix_ver' : '9.8(4)'},
{'min_ver' : '9.8', 'fix_ver' : '9.8(4)'},
{'min_ver' : '9.9', 'fix_ver' : '9.9(2.50)'},
{'min_ver' : '9.10', 'fix_ver' : '9.10(1.17)'}
];
var workarounds = make_list(CISCO_WORKAROUNDS['generic_workaround']);
var workaround_params = WORKAROUND_CONFIG['show_webvpn_saml_idp'];
var reporting = make_array(
'port' , 0,
'severity' , SECURITY_WARNING,
'version' , product_info['version'],
'bug_id' , 'CSCvn72570',
'cmds' , make_list('show webvpn saml idp')
);
cisco::check_and_report(
product_info:product_info,
workarounds:workarounds,
workaround_params:workaround_params,
reporting:reporting,
vuln_ranges:vuln_ranges
);
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
EPSS
Percentile
51.4%